RazorHost _UserList sample exposes on a Portal all user's names and emails on Host
Description
Standard RazorHost sample script _UserList returns all of the users on a DNN installation. In a situation where the site is hosting many customers as portals, this exposes the complete list of customers (users) names and email addresses if the individual portal is allowed to use the RazorHost module (default).
I tested this on a free hosting service, was able to create a bogus free portal and gain access to the complete list of users (actually got tired of waiting for all 62 thousand users to be returned ).
The attached revised script would only list out the users of the single portal, leaving responsibility of protecting the user information with that portal admin.
QA Test Plan
Activity
Verified script fix
7.3.3 build 93 platform/content clean installation and upgrade scenarios
Re-verified Platform/Content 7.3.4 build 45
The UserList sample script only returns users for a single portal where it is run
Assignee
Reporter
Story Size
Severity
Triage
Reported in Build #
Fixed in Build
Dev Owner
Includes Code Fix
Documentation Required
Trouble Ticket
Requires More Info
QA Story Points
QA Owner
Injected
Automation Required
Code Review Owner
Story Points
Components
Fix versions
Affects versions
Priority
